CVE-2026-6381 PUBLISHED

WP Maps < 4.9.3 - Subscriber+ Local File Inclusion

Assigner: WPScan
Reserved: 15.04.2026 Published: 18.05.2026 Updated: 18.05.2026

The WP Maps WordPress plugin before 4.9.3 does not properly sanitize a parameter before using it in a file path, allowing authenticated users to perform Local File Inclusion attacks.

Product Status

Vendor	Unknown
Product	WP Maps
Versions	Default: unaffected affected from 0 to 4.9.3 (excl.)

Credits

Mustafa Ahmed finder
WPScan coordinator

References

https://wpscan.com/vulnerability/18b36672-58d7-44fa-b653-b728e9ef257a/

Problem Types

CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') CWE